An Empirical Study of Usages, Updates and Risks of Third-Party Libraries in Java Projects

Wang, Ying; Chen, Bihuan; Huang, Kaifeng; Shi, Bowen; Xu, Congying; Peng, Xin; Wu, Yijian; Liu, Yang

doi:10.1109/icsme46990.2020.00014

Cited by 78 publications

(27 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nevertheless, dependency analysis has been a hot research topic for many other programming languages [38]- [44]. The concepts of these approaches, such as resolving compatibility issues caused by the evolution of libraries [45], [46], automated replacing outdated libraries [47], or updating deprecated library APIs [48], we believe, should also be appliable to Python software applications.…”

Section: Dependency Analysismentioning

confidence: 99%

Restoring Execution Environments of Jupyter Notebooks

Wang

Zeller

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

More than ninety percent of published Jupyter notebooks do not state dependencies on external packages. This makes them non-executable and thus hinders reproducibility of scientific results. We present SnifferDog, an approach that 1) collects the APIs of Python packages and versions, creating a database of APIs; 2) analyzes notebooks to determine candidates for required packages and versions; and 3) checks which packages are required to make the notebook executable (and ideally, reproduce its stored results). In its evaluation, we show that SnifferDog precisely restores execution environments for the largest majority of notebooks, making them immediately executable for end users.

show abstract

Section: Dependency Analysismentioning

confidence: 99%

Restoring Execution Environments of Jupyter Notebooks

Wang

Zeller

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…Some articles track and study the specific scenarios of using components with known vulnerabilities. Wang et al (Wang et al 2020) study usages, updates and risks of OSS in JAVA projects, and provide experiences on maintaining them as third-party libraries. Cadariu et al (Cadariu et al 2015) point out that the use of third-party components may introduce security vulnerabilities in the software system.…”

Section: Security Risk By Using Ossmentioning

confidence: 99%

“…However, improper use of OSS can cause *Correspondence: xulili@iie.ac.cn 1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China Full list of author information is available at the end of the article potential serious security risks. Wang et al (Wang et al 2020) analyzed 806 software and pointed out that the use of outdated OSS is a common phenomenon, software containing outdated OSS is more likely to be exploited. For example, a severe security vulnerability called Heartbleed (Heartbleed 2020) was found in version 1.0.1 before 1.0.1g of OpenSSL, a popular cryptographic software library.…”

Section: Introductionmentioning

confidence: 99%

B2SMatcher: fine-Grained version identification of open-Source software in binary files

Ban

Xiao

et al. 2021

Cybersecur

View full text Add to dashboard Cite

Codes of Open Source Software (OSS) are widely reused during software development nowadays. However, reusing some specific versions of OSS introduces 1-day vulnerabilities of which details are publicly available, which may be exploited and lead to serious security issues. Existing state-of-the-art OSS reuse detection work can not identify the specific versions of reused OSS well. The features they selected are not distinguishable enough for version detection and the matching scores are only based on similarity.This paper presents B2SMatcher, a fine-grained version identification tool for OSS in commercial off-the-shelf (COTS) software. We first discuss five kinds of version-sensitive code features that are trackable in both binary and source code. We categorize these features into program-level features and function-level features and propose a two-stage version identification approach based on the two levels of code features. B2SMatcher also identifies different types of OSS version reuse based on matching scores and matched feature instances. In order to extract source code features as accurately as possible, B2SMatcher innovatively uses machine learning methods to obtain the source files involved in the compilation and uses function abstraction and normalization methods to eliminate the comparison costs on redundant functions across versions. We have evaluated B2SMatcher using 6351 candidate OSS versions and 585 binaries. The result shows that B2SMatcher achieves a high precision up to 89.2% and outperforms state-of-the-art tools. Finally, we show how B2SMatcher can be used to evaluate real-world software and find some security risks in practice.

show abstract

“…Developers are compelled to update their libraries in an effort to escape vulnerabilities, but the very fixes may also contain breaking changes. Wang et al, when studying the update risk of Java libraries have found that an impressive 35% of studied libraries, more than 4200 libraries, had more than 300 deleted APIs between a vulnerable version and its corresponding fix (WANG et al, 2020).…”

Section: Compatibility Often Breaksmentioning

confidence: 99%

“…Wang et al approach this phenomenon with various metrics, such as "usage outdatedness", "update intensity" and "update delay". They find that very few projects keep all their libraries up-to-date and more than 50% of projects take longer than 60 days to update dependencies (WANG et al, 2020).…”

Section: Compatibility Often Breaksmentioning

confidence: 99%

Module Integration Using Graph Grammars (MIGRATE)

Cravo

Ribeiro

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Software, be it desktop, mobile or web, is becoming more and more connected. Software development is also becoming more connected with ecosystems comprised of networks of millions of packages. Engineering software today involves writing code that weaves together libraries, services and applications. Such processes are under constant changes due to both internal requests (e.g. new features) or external demands (e.g. dependency updates). Avoiding integration bugs in this scenario can be quite a challenge regardless of common strategies such as testing and versioning. We studied graph grammars to find a set of grammars (verification grammars) that represent how software modules integrate and leveraged existing graph grammar analysis, specifically critical pair analysis, to point out possible integration problems in such grammars automatically. Furthermore, we created a formalism (module nets) to represent how software modules share information and leveraged graph grammars, by the fact that they can be proven to have functional behavior (confluence), to translate instances of module nets to verification grammars, enabling developers to create and modify module nets and then have warnings concerning integration problems automatically generated. We summarized this process in a framework we call module integration using graph grammars (MIGRATE), which we illustrate in this work through a case study with a fictitious search engine for research articles. Our approach demonstrates how to leverage critical pair analysis of graph grammars to automatically uncover a few integration bugs. It also serves as a pathway for future research exercising other graph grammar analyses to full extent.

show abstract

An Empirical Study of Usages, Updates and Risks of Third-Party Libraries in Java Projects

Cited by 78 publications

References 45 publications

Restoring Execution Environments of Jupyter Notebooks

Restoring Execution Environments of Jupyter Notebooks

B2SMatcher: fine-Grained version identification of open-Source software in binary files

Module Integration Using Graph Grammars (MIGRATE)

Contact Info

Product

Resources

About